Active computers reporting to splunk last 30 days

cyler · ‎04-05-2018

I would like to know how to search for all computers that are reporting to Splunk in the last 30 day.

Thank you

cyler · ‎04-06-2018

Forgive my being naive - Here is what result I get back

DalJeanis · ‎04-06-2018

get rid of everything before the first pipe

elliotproebstel · ‎04-05-2018

You could try these:

| tstats latest(_time) AS latest where index=* by host

or
| metadata type=hosts
Either should work.

adonio · ‎04-05-2018

many ways to go about it ...
try this |metadata type=hosts
see the output of the command and start exploring ...
heres a link to the doc that has more elaborated examples:
http://docs.splunk.com/Documentation/Splunk/7.0.3/SearchReference/Metadata
hope it helps

cyler · ‎04-06-2018

index=my_index* | metadata type=hosts

Error in 'metadata' command: This command must be the first command of a search.
The search job has failed due to an error. You may be able view the job in the Job Inspector.

adonio · ‎04-06-2018

please read the doc
metadata is a generating command has to be first
no need for index = something before
place this in your searchbae literally |metadata type=hosts

skulk · ‎04-05-2018

Hi,

You should ru search like this one (set time-range picker for last 30 days):

index=* | stats count by host

This search will show you all hosts and number of events from each other.

Active computers reporting to splunk last 30 days

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

Monitoring Amazon Elastic Kubernetes Service (EKS)